Full Report
Cisco has suffered a cyberattack after threat actors used stolen credentials from the recent Trivy supply chain attack to breach its internal development environment and steal source code belonging to the company and its customers. [...]
Analysis Summary
# Incident Report: Cisco Source Code Theft via Trivy Supply Chain Attack
## Executive Summary
Cisco's internal development environment was compromised after threat actors leveraged stolen credentials obtained from a supply chain attack on the Trivy vulnerability scanner. The breach resulted in the unauthorized cloning of over 300 GitHub repositories, including proprietary AI source code and customer data. Cisco has since contained the breach, isolated affected systems, and initiated a large-scale credential rotation.
## Incident Details
- **Discovery Date:** March 2026 (Inferred)
- **Incident Date:** March 2026
- **Affected Organization:** Cisco Systems, Inc.
- **Sector:** Information Technology / Cybersecurity
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** March 2026
- **Vector:** Supply Chain Compromise (Trivy GitHub Action)
- **Details:** Threat actors (TeamPCP) compromised the Trivy vulnerability scanner's GitHub pipeline. Cisco's build environment utilized a malicious "GitHub Action plugin" which deployed the "TeamPCP Cloud Stealer" to harvest CI/CD credentials.
### Lateral Movement
- **Details:** Using credentials harvested by the malicious GitHub Action, attackers moved from the CI/CD pipeline to Cisco’s AWS environment and internal GitHub repositories. Attackers accessed dozens of devices, including developer workstations and lab environments.
### Data Exfiltration/Impact
- **Details:** Attackers cloned over 300 GitHub repositories. This included source code for Cisco AI Assistants, AI Defense, and unreleased products. Additionally, source code belonging to Cisco customers (banks, BPOs, and US government agencies) was stolen from these repositories. Multiple AWS keys were also exfiltrated and used for unauthorized activities.
### Detection & Response
- **Discovery:** Identified by Cisco’s Unified Intelligence Center, CSIRT, and EOC teams.
- **Response Actions:** Immediate isolation of compromised workstations; initiation of "wide-scale" credential rotation; reimaging of impacted developer and lab devices.
## Attack Methodology
- **Initial Access:** Supply chain compromise of a third-party tool (Trivy).
- **Persistence:** Malicious GitHub Action plugin.
- **Privilege Escalation:** Not specified, but likely via harvested high-privilege CI/CD tokens.
- **Defense Evasion:** Use of legitimate GitHub Actions to mask malicious activity.
- **Credential Access:** TeamPCP Cloud Stealer (Infostealer) targeting CI/CD and AWS keys.
- **Discovery:** Automated scanning of GitHub repositories and AWS environments.
- **Lateral Movement:** Credential pivoting from CI/CD tools to Cloud (AWS) and Version Control (GitHub).
- **Collection:** Cloning of 300+ repositories.
- **Exfiltration:** Transfer of source code and AWS environment data.
- **Impact:** Intellectual property theft and compromise of customer-owned code.
## Impact Assessment
- **Financial:** Undisclosed, but significant costs associated with IR and potential legal liabilities regarding customer code theft.
- **Data Breach:** Over 300 repositories; sensitive AI source code; customer code (Gov/Finance sectors).
- **Operational:** Disruption to development workflows; required reimaging of dozens of workstations.
- **Reputational:** High; loss of trust regarding the security of Cisco’s AI products and their handling of customer source code.
## Indicators of Compromise
- **Network indicators:** Connections to known TeamPCP C2 infrastructure (not specified in article but linked to "TeamPCP Cloud Stealer").
- **File indicators:** Malicious GitHub Action plugin associated with the Trivy compromise.
- **Behavioral indicators:** Unusual GitHub repository cloning patterns; unauthorized AWS API calls using stolen keys.
## Response Actions
- **Containment:** Isolated impacted developer and lab workstations.
- **Eradication:** Wide-scale rotation of AWS and GitHub credentials/tokens.
- **Recovery:** Reimaging of contaminated hardware and auditing of AWS accounts for persistent backdoors.
## Lessons Learned
- **Key Takeaways:** Trust in third-party GitHub Actions must be verified, not assumed. Even security-focused tools (Trivy) can become vectors for supply chain attacks.
- **What could have been done better:** Implementation of stricter "least privilege" scopes for GitHub Action tokens and more robust monitoring for bulk repository cloning.
## Recommendations
- **Vendor Risk Management:** Pin GitHub Actions to specific commit SHA-1 hashes rather than version tags to prevent automated updates to malicious versions.
- **Secrets Management:** Use short-lived, dynamically generated credentials (like AWS IAM Roles for GitHub Actions via OIDC) instead of permanent AWS keys.
- **Monitoring:** Implement alerting for mass data exfiltration from GitHub and anomalies in AWS "Create" or "Describe" calls from CI/CD environments.